NEWS

Off the Beat * Bruce Byfield

Finding a DRM-Free Replacement for Firefox

By now, you may have read about Mozilla's reluctant decision to ship Firefox with the ability to support Encrypted Media Extensions (EME). Consequently, you may be starting to look for a DRM-free replacement for Firefox.

The Mysteries of Positioning Pictures in LibreOffice & OpenOffice

Positioning pictures has been a problem ever since LibreOffice and OpenOffice were OpenOffice.org – possibly before. Inserting graphics is no problem, but try to anchor, align, or indent, and the picture changes position, sometimes to a different place entirely on the page.

Productivity Sauce * Dimitri Popov

Automated Photo Sharing with Photocrumbs

Using a simple Bash script and a cron job, you can turn Photocrumbs into an automated photo sharing bot.

GeoLog: A Different Kind of Location Tracking App

Plenty of Android apps let you track and record your movements, but GeoLog is an app that offers a different approach to tracking location. GeoLog gathers location data depending on your activity.

Extension Watch: Search Anonymously with Searchonymous for Firefox

Searchonymous is a really neat Firefox add-on that anonymizes your Google searches transparently, leaving your search preferences intact and keeping you logged in to other Google services like Gmail and YouTube.

ADMIN HPC

You need more than just a scalable infrastructure in the cloud; you also need a high-performance storage component. We look at Ceph, a distributed object store and filesystem that pairs well in the cloud with OpenStack.

Hadoop for All By Anna Kobylinska and Filipe Martins

Hadoop 2.x and its associated tools promise to deliver big data solutions not just to the IT-heavy big players, but to anyone with unstructured data and the need for multidimensional data analysis.

ADMIN Online

SmartOS brings together the best of Linux and Solaris to implement a virtualization platform with ZFS and KVM.

Acquiring a Memory Image By David J. Dodd

Be ready before disaster strikes. We describe some tools you should have on hand to obtain a memory image of an infected system.

New Versions of the Endian and Sophos UTM Solution By Thomas Zeller

UTM systems combat all kinds of dangers under the Unified Threat Management policy.

Firefox Says Yes to DRM

The Mozilla Foundation, maker of the Firefox open source browser, has agreed that Firefox will support the Encrypted Media Extensions (EME) standard, which will enable DRM extensions to control copy-protected video used by vendors such as Netflix. Mozilla has teamed with Adobe to create what they call the Content Decryption Module (CDM), a DRM-based sandbox for playing copy-protected video. The CDM will carry a proprietary software license. Because Firefox is open source, CDM will not ship with the download version of the tool but will be installed as an extension with the user's permission if it is needed to play a video.

Although the decision to support DRM has caused a firestorm within the open source community, Mozilla says its greater fear was that the lack of support for streaming proprietary video was forcing users to adopt other browsers. Understandably, the Free Software Foundation has stated its strong opposition to the decision. According to FSF executive director John Sullivan, "The Free Software Foundation is deeply disappointed in Mozilla's announcement. The decision compromises important principles in order to alleviate misguided fears about loss of browser market share. It allies Mozilla with a company hostile to the free software movement and to Mozilla's fundamental ideals."

Since Firefox is open source code, anyone can modify the code base to remove features and release a new version. The FSF expects that a new non-EME fork of the Firefox code will appear soon. Of course, the Debian project has already forked the Firefox code to produce the all-free Iceweasel browser, which will undoubtedly refrain from integrating the new DRM components.

New Attack Vector Could Compromise Wireless Logins

The Heartbleed attack vector, which is capable of compromising OpenSSL encrypted connections, caused a stir in the open source community recently, even leading to the establishment of the new Core Infrastructure Initiative for updating and supporting FOSS projects that are key to the success of the Internet. Just when everyone thought the Heartbleed scare was over, Portuguese security researcher Luis Grangeia described a new attack vector based on Heartbleed that affects the EAP (Extensible Authentication Protocol) authentication framework used with wireless and peer-to-peer connections.

According to Grangeia, "cupid is the name I gave to two source patches that can be applied to the programs 'hostapd' and 'wpa_supplicant' on Linux. These patches modify the programs' behavior to exploit the heartbleed flaw on TLS connections that happen on certain types of password-protected wireless networks."

Grangeia goes on to point out, "It is not necessary to fully establish a TLS connection to perform the heartbleed attack. No actual keys or certificates need be exchanged. I have found out it [is] possible to send and receive heartbleed responses right after a 'Client Hello' message (before certificates are presented or session keys are exchanged)."

If you have not applied the patches that circulated following the original Heartbleed scare earlier this year, you are advised to do so immediately. As for the new cupid vector, be advised that services that use EAP could be at risk. Watch for security updates from your Linux distribution.
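The pre-handshake window Grangeia describes is also what a defender can look for. The following Python checker is an added example for this item (not code from the article, from the cupid patches, or from hostapd/wpa_supplicant): it walks the TLS records in one direction of a stream and flags any heartbeat message that appears before ChangeCipherSpec, plus the payload-length mismatch that defines Heartbleed. Content types and the heartbeat layout follow RFC 5246 and RFC 6520; the sample records at the bottom are constructed inline, not captured traffic.

```python
"""Flag TLS heartbeat records that arrive before the handshake has
completed, and heartbeats whose declared payload length does not fit the
record.  Added example; the sample records below are constructed."""
import struct

# TLS record content types (RFC 5246, RFC 6520)
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23
HEARTBEAT = 24

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEARTBEAT_MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding


def parse_records(data):
    """Split one direction of a TLS stream into (type, version, body)
    tuples.  A truncated trailing record ends parsing instead of raising."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record; nothing more to parse
        records.append((ctype, version, body))
        off += 5 + length
    return records


def audit_stream(data):
    """Return a list of finding strings for one direction of a stream.

    Check 1: a heartbeat seen before ChangeCipherSpec, i.e. the peer is
             exercising the heartbeat extension with no keys established,
             the window the EAP-TLS variant relies on.
    Check 2: a heartbeat whose payload_length field claims more bytes than
             the record actually carries after the 3-byte header and the
             mandatory padding, the classic Heartbleed inconsistency.
    """
    findings = []
    handshake_done = False
    for idx, (ctype, _version, body) in enumerate(parse_records(data)):
        if ctype == CHANGE_CIPHER_SPEC:
            handshake_done = True
        elif ctype == HEARTBEAT:
            if not handshake_done:
                findings.append(f"record {idx}: heartbeat before handshake completed")
            if len(body) >= 3:
                _hb_type, payload_len = struct.unpack("!BH", body[:3])
                avail = max(len(body) - 3 - HEARTBEAT_MIN_PADDING, 0)
                if payload_len > avail:
                    findings.append(
                        f"record {idx}: heartbeat payload_length {payload_len} "
                        f"exceeds {avail} bytes available")
    return findings


def _record(ctype, body, version=0x0301):
    """Wrap a body in a TLS record header (constructed test data)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed samples, not captured traffic.
CLIENT_HELLO = _record(HANDSHAKE, b"\x01" + (36).to_bytes(3, "big") + b"\x00" * 36)
EARLY_HEARTBEAT = _record(HEARTBEAT, struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000))
BENIGN_HEARTBEAT = _record(
    HEARTBEAT, struct.pack("!BH", HEARTBEAT_REQUEST, 4) + b"ping" + b"\x00" * 16)

SUSPICIOUS_STREAM = CLIENT_HELLO + EARLY_HEARTBEAT
NORMAL_STREAM = CLIENT_HELLO + _record(CHANGE_CIPHER_SPEC, b"\x01") + BENIGN_HEARTBEAT

if __name__ == "__main__":
    for name, stream in (("suspicious", SUSPICIOUS_STREAM), ("normal", NORMAL_STREAM)):
        print(name, audit_stream(stream) or "no findings")
```

The same two checks apply to the reverse direction of the stream, where a heartbeat response that is far larger than the matching request is the sign that memory was leaked; a patched OpenSSL simply drops the malformed request, which is why updating the affected packages remains the fix.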

Linux 3.15 Released

Linux founder Linus Torvalds has announced the official release of Linux kernel 3.15. Pre-release versions of the latest Linux have received considerable attention for vastly superior performance on suspend and resume functions. Tests have shown a 10-fold reduction in wait time for systems awakening from the suspend-to-disk state. Version 3.15 also includes some significant fixes and improvements to the kernel-based KVM virtualization system.

As always, these changes won't have an immediate effect on the average user. Users who want to experiment with or integrate the Linux 3.15 kernel can download it from the Linux kernel archives. Linux 3.15 will eventually make its way to your system through a future release of your favorite Linux distribution. Given the history of past problems with Linux power management and the heralded suspend and resume improvements promised in 3.15, Linux vendors will make it a priority to ramp up support for the new kernel.

Geeks Petition for Free Lenovo BIOS

Software developer Evan Carroll and several colleagues have started a petition at Change.org calling for Lenovo to end its practice of building a hardware whitelist into the BIOS as a means of excluding devices the company does not support. Critics complain that this practice excludes some devices and drivers that the system actually supports, just because Lenovo doesn't happen to have a business agreement with the device vendor. In other words, the exclusion has no technical purpose. For instance, a WiFi adapter by a manufacturer that is officially approved by Lenovo is allowed access to the system, but another adapter with an identical chipset is excluded by the BIOS.

The petition calls for Lenovo to release an "unencumbered" version of the BIOS and states, "We request the option to purchase third-party miniPCI-E cards and install them into the laptops we purchased."

Webcam Hijackers Busted

Police around the world have cracked down on users of the infamous Blackshades malware tool, which is thought to have infected over half a million computers in 100 countries. Ninety-seven people in 16 countries were arrested nearly simultaneously to prevent tip-offs through the shadowy network of the hacker underground.

Blackshades lets the attacker encrypt and lock files, forcing the victim to pay a ransom, and it also has the ability to intercept keystrokes, which helps the attacker discover passwords. Perhaps the best known feature is the Blackshades Remote Access Tool (or "RAT"), which hijacks the victim's webcam. Widespread reports highlight the problem of attackers using Blackshades to capture videos and still pictures of victims in their bedrooms. The California teen convicted of video recording the future Miss Teen USA in her bedroom reportedly had Blackshades on his computer. Several news sources say Blackshades co-developer Michael Hogue, an American, was arrested in 2012 and is cooperating with law enforcement officers. Reports also state that Blackshades owner Alex Yucel was arrested in Moldova last year.

Slow Down on SPDY?

A prominent FOSS programmer has called for a reset of the adoption process for the new HTTP 2.0 web protocol. Poul-Henning Kamp, who is most closely associated with the FreeBSD project but also supports Linux, is the lead developer for the Varnish cache HTTP accelerator and a participant in the World Wide Web Consortium's HTTP working group. In a recent post to the HTTP Working Group list, Kamp argues that the process for developing the HTTP 2.0 standard has so far been driven more by time constraints than the desire to achieve the best possible outcome.

In 2012, the Internet Engineering Task Force (IETF) adopted Google's SPDY protocol as a basis for building the next generation web protocol, HTTP 2.0. The goal of the HTTP process is to fix some underlying problems with the current standard (HTTP 1.1) but still retain compatibility with HTTP 1.1 syntax. Google's experimental SPDY protocol was adopted for its reported performance improvements and a more sophisticated session management architecture. Among the benefits of SPDY is that the user interacts with the web server through a single TCP channel, reducing the overhead for sending and receiving control information.

Kamp argues that SPDY was "a very good and worthwhile prototype" but says its integration and adoption into HTTP 2.0 has been a "fiasco" driven by a tight schedule for 2.0 adoption. He states the working group has "wasted a lot of time and effort trying to goldplate over the warts and mistakes" in SPDY. He credits the SPDY prototype for showing the need for improvement in HTTP 1.1 but quotes famous writer and computer scientist Fred Brooks with the adage, "Always throw the prototype away."

A public debate about a standards process is not unusual (debate being the reason for the standards process); however, in light of current controversies regarding privacy and cryptography on the web, this call to slow down could find a ready audience with other developers and decision makers in the web standards community.

Google Creates Extension for PGP Encryption in Webmail

Google has released an extension for the Chrome browser that simplifies email encryption for webmail users. The End-to-End extension is designed to let Gmail users implement email encryption through the Pretty Good Privacy (PGP) program.

The standard webmail system handles user interaction through a browser-based HTTP session. However, an email message is sent through a chain of mail servers on its way to the destination address. Google estimates that only half of the email that passes through Gmail to other providers is actually encrypted all the way from the starting server to the destination. The new End-to-End extension will ensure that the message will be encrypted as it passes through the chain of mail servers.

The End-to-End extension is currently in an alpha pre-release version. The source code is available for experiment by security experts and testers. As Google developer Stephan Somogyi explains in a blog entry, Google wants to receive comments and improvements from the community before releasing a final version that will then be available in the Chrome Web Store.

New Zealand Supercomputer Hacked

The $12.7 million FitzRoy supercomputer housed at New Zealand's National Institute of Water and Atmospheric Research (NIWA) was reportedly the subject of an Internet attack. An unknown intruder apparently broke into the system last week. According to NIWA chief exec John Morgan, the Institute "immediately isolated" the computer as soon as the attack was detected (presumably meaning they unplugged the network cable).

At this time, it doesn't appear that the attack reached beyond the supercomputer itself; however, forensics experts are still working on their report. Some news sources have speculated that the attacker was based in China, but NIWA has not confirmed the place of origin.

As impressive and expensive as scientific supercomputers are, the actual financial or espionage benefit of hacking into one seems unclear. The ultimate purpose might have been to gain access to other systems that happen to connect. This attack is a warning shot for the scientific community to pay attention and stay vigilant.

Google Launches Quantum Computing Playground

Google has added a new tool to its gallery of online tools known as the Chrome Experiments. The new Quantum Computing Playground offers access to a computing environment that simulates the behavior of a quantum computer. According to Google, the Quantum Computing Playground "can efficiently simulate quantum registers up to 22 qubits, run Grover's and Shor's algorithms, and has a variety of quantum gates built into the scripting language itself."

Google believes this online quantum computing simulator will let scientists begin to experiment with quantum programming before a real, fully functional quantum computer reaches the market. Google recommends using the Chrome browser if you want to experiment with the Quantum Computing Playground. You'll also need a graphics card that supports WebGL.

You might be thinking that, if the Quantum Computing Playground simulates a quantum computer, behaves like a quantum computer, and executes quantum algorithms, perhaps one could say that it actually is a quantum computer, even if the hardware does not operate on quantum mechanical principles. That all depends on your definitions, but keep in mind that a simulated quantum computer would not offer any of the astounding speed advantages a real quantum computer can achieve through the superposition of quantum states.

IANA Hands Out Recovered IPv4 Addresses

The IPv4 address allocation process has reached a new stage. Leftover fragmentary and returned address blocks in IANA inventory will be placed in a "Recovered IPv4 Pool." When any of the Regional Internet Registries (RIRs) reaches less than a /9 of its available address allocation (i.e., 8,388,608 addresses), the pool will become active.

The Latin American registry LACNIC announced it is down to its last /9 address block, which activates the Recovered IPv4 Address Pool. The five RIRs around the world will thus receive an additional allotment of IPv4 addresses to distribute to second-tier providers. This final barrel-scraping of IPv4 addresses will not feed the world's address appetite for long, so IPv6 adoption is the only long-term solution.